PDA

Visualizza versione completa : Trojan horse generic


imothep
09-10-2007, 15.04.56
Ho istallato AVG e da un paio di giorni mi appare spesso questo mesaggio:
THREAT DETECTED While opening file C:\windows\881843.exe Trojan horse generic5.HRZ. Ho avuto dei problemi poi risolti nei giorni scorsi grazie alla paziente assistenza degli utenti e moderatori del forum, adesso si presenta sto messaggio. Cos'e'? Ma con AVG dopo poco il messaggio scompare dove fa a finire? Ci sono delle possibilita' cioe' " Ignore, Info, Heal, Move to vault, cosa bisogna fare? Grazie.

crazy.cat
09-10-2007, 15.21.19
Prova con Heal e Move to vault se riesci ad eliminare il file.
altrimenti vediamo un altro log di hijackthis.

imothep
09-10-2007, 17.51.01
Prova con Heal e Move to vault se riesci ad eliminare il file.
altrimenti vediamo un altro log di hijackthis.
Ok Crazy grazie sei sempre presente, ti posto il log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.49.51, on 09/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\cFosSpeed\spd.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\cFosSpeed\cFosSpeed.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\TritaFile\TritaFile.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [cFosSpeed] C:\Programmi\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM] "C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocitÓ Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{13EBA7DC-E7FF-4D0B-BCD1-6AE170FCFA81}: NameServer = 85.37.17.9 85.38.28.75
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Programmi\cFosSpeed\spd.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ServiceLayer ServiceLayerVSS (ServiceLayerVSS) - Unknown owner - C:\WINDOWS\system32\3com_dmib.exe (file missing)

--
End of file - 6946 bytes

crazy.cat
09-10-2007, 19.25.04
Sono risaltati fuori un altra volta
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
Non Ŕ che frequenti un qualche sito infetto che ti scarica questi file?

Riutilizza di nuovo
http://www.mediafire.com/?0d22zx3wvyg
lo estrai in una cartella qualsiasi e lanci il file rimuovi.cmd

Poi rifai la scansione con hijackthis selezioni queste due righe e premi fix checked per eliminarle.
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe

Naviga con firefox o almeno aggiorna a internet explorer 7.

imothep
09-10-2007, 23.30.36
Sono risaltati fuori un altra volta
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
Non Ŕ che frequenti un qualche sito infetto che ti scarica questi file?

Riutilizza di nuovo
http://www.mediafire.com/?0d22zx3wvyg
lo estrai in una cartella qualsiasi e lanci il file rimuovi.cmd

Poi rifai la scansione con hijackthis selezioni queste due righe e premi fix checked per eliminarle.
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe

Naviga con firefox o almeno aggiorna a internet explorer 7.
Ok tnx!